Password-Based Simsec Protocol

Home , Encrypted key exchange, Speke, XTR

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

Research Article Password-Based SIMSec Protocol

Sedat AKLEYLEK1,*, Engin KARACAN 2 1 Ondokuz Mayıs University, Department of Computer Engineering Engineering, Engineering Faculty, Samsun, Turkey [email protected] https://orcid.org/0000-0002-2306-6008

2 Ondokuz Mayıs University, Computational Sciences Program, Graduate School of Sciences, Samsun, Turkey [email protected] https://orcid.org/0000-0002-2306-6008

ARTICLE INFO ABSTRACT

Article history:

Received 17 June 2020 The purpose of the SIMSec protocol is to provide the infrastructure to enable secured access between the Received in revised form 25 August 2020 SIM (Subscriber Identity Module) card which doesn’t have an ephemeral key installed during production Accepted 30 August 2020 and the service provider. This infrastructure has a form based on agreements among the mobile network Available online 30 September 2020 manufacturer, the user, the service provider and the card manufacturer. In order to secure transactions, authentication methods are used based on the fact that both parties can verify that they are the parties Keywords : they claim to be. In this study, the key exchange and authentication models in the literature have been surveyed and the password-based authentication model is chosen. For the SIMSec protocol, the Authentication, Key, Exchange, password-based authentication algorithm is integrated into the SIMSec protocol. Thanks to the proposed SIMSec new structure, phase differences in the SIMSec protocol are shown. As a result, a new key exchange

protocol is proposed for SIM cards.

Doi: 10.24012/dumf.753942

* Corresponding author Sedat, Akleylek  [email protected]

Please cite this article in press as S. Akleylek, E. Karacan, “Password-Based SIMSec Protocol”, DUJE, vol. 11, no.3, pp. 1021-1030, September 2020. 1

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

Introduction been produced and the secret key has not been When the development process of loaded. communication technology is examined, it is Various different models have been investigated seen that mobile phones cover a great place. It to provide for secure communication of SIM has been observed that mobile phone usage areas technology. In some of these models, secret keys have increased in proportion to time so far. At were assigned during production process [3-8]. the beginning mobile phones were served to However in [3], while secret keys weren’t users for voice calls and short message services. assigned during production process, it was With the advances in communication proposed that keys that they developed assign technology, it has helped secure transactions exchange protocol stack to SIM technology for such as mobile banking, mobile signature and providing secure communication. mobile payment through the developing system. This study will be categorized into four sections. Thanks to these developments, cash out In the first section, the literature review and the transactions, online shopping, credit card usage, content of the study are described. Section 2 online payments, e-commerce and the like can based on the latest years usage of smartphones be secured safely via SIM on today's devices and smart devices that work with SIM, the [1,2,3]. The secure provision of these services infrastructures and the mathematical structures depends on the security of communications of the key exchange and authentication models between the service providers and the SIM. SIM in the literature are examined for the security of technology has been developing every year. SIM SIM technology. It is mentioned the differences memory sizes update itself with advancing between analyzed models. In Section 3 to ensure technology. These SIMs are installed by card SIM security password-based SIMSEC protocol manufacturers with ephemeral key protocols to is proposed and the infrastructure of the method ensure secured access between service providers is shown mathematically. In the last section, the and the SIM. In this study, transaction and results obtained in the study and the studies that memory costs are taken into consideration with a are aimed to be done in the future are given and similar mentality in SIMSec protocol. a hybrid model is presented using the password- Key exchange can be defined as a protocol for based key exchange model and SIMSec protocol two mutual parties to negotiate a secret key. The together. It is stated that reliable models will be authentication method can be defined again as a studied on providing the infrastructure enabling protocol that are established by verifying that the secured access between SIM cards that are not two parties are the parties they are claiming loaded with an ephemeral key during the each other to be. Key exchange and production and service provider. authentication methods for the secured access of Key Exchange and Authentication Models the parties take an important place in the literature. This section summarizes the working principles and mathematical backgrounds of password- Related Works: based password-protected models from key Today, SIM Cards (64kb 128kb 356kb 512kb) exchange and authentication models in a study with different capacities are produced by card [9,10]. The notations and parameters used in all manufacturers. Secret keys are loaded on these models discussed throughout the study are given cards during production in order to provide end- in Table 1. to-end secure communication over the produced cards. With the developing technology, communication security can be attacked. The attacker can cause problems by attacking this communication channel, such as changing data, listening and breaking data [1,2]. End-to-end communication has been made safer with the suggestion presented in this paper. A new key exchange protocol is proposed to the SIM cards with the presented method, where the card has

1022

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

Table 1. Notations Password–based protocol (PAK)

Parameters Definitions The biggest problem in the password-based π Password of client protocol (PAK) model is to estimate the π value of the client [12,13]. If the attacker knows the p Large prime number of at least 1024 bits value π and has an idea of how the algorithm q g / p-1 prime number will work, the attacker can find all tA, tB values. G Zp subgroup An attacker could damage the communication g Generator of group G information between the parties. Therefore, rA, rB Figures randomly selected in the session Bellare has customized the key generation Zp Set of integers with elements 0 to p-1 function to make it difficult to find the session rA rB tA, tB tA= g tB= g key. However, the symmetric encryption xA, xB Client and server’s private long passwords algorithm used in the protocol must provide ZAB Shared information (secret) randomness characteristics. Boyko obtained the KAB Derived session key “P” value by using relatively prime values [14] Hİ (.) Unicast sum functions. H1 H2 H3… between r and q in the protocol set called PAK. With the help of these values, the switch in Diffie-Hellman encrypted key exchange group G was produced. The proposed key (EKE) exchange protocol is given in Figure 2 [15]. Encrypted key exchange In the Diffie-Hellman- Since the PAK protocol uses the summary EKE model is that a shared key is encrypted function and the “r” value in calculating P, the with a public key by using the password and is cost is higher than Diffie-Hellman. Another sent from client to server so that the client and difference between the two protocols is the server can communicate securely [11]. Only the customization of the key generation function. party who knows the password can complete the So, the authentication mechanism was added. protocol. The flow of this protocol is given in Figure 1 [11,12].

rA rB ZAB= (g ) rB rA ZAB= (g )

rB rA rA rB ZAB= (g ) ZAB= (g )

Fig. 1. Diffie-Hellman-EKE This protocol was developed against “partition” attacks. According to this idea, the attacker who guesses the password can check whether the values tA and tB are valid. This set of protocols is based on the difficulty of finding the parameters selected by the attacker [12]. Fig. 2. Password–based Protocol (PAK)

1023

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

Password protected key exchange (PPK)

r.r-1 ≡ 1 mod q

P P

푚 푚 1 푚 푚 푡 = = = ℎ−q ሺ푚표푑 푞ሻ = 퐴 ℎq . 푃 푃 ℎq 푃 푃

rB rA rA rB rB rA rA rB ZAB= (g ) ZAB= (g ) ZAB= (g ) ZAB= (g )

Fig. 3. Password protected key exchange protocol (PPK) Fig. 4. Password–based protocol-R protocol (PAK-R) In the password protected key exchange (PPK) model, it is harder for an attacker to obtain the Password–based protocol-Y (PAK-Y) “π” value. The client calculates P1 and P2 using The PAK-Y model, called the Y-password-based the values “π” and “r”[14]. This brings an extra key exchange protocol, refers to the PAK model calculation cost for the client. The PPK model is as the PAK-R model [18]. The problem in this shown in Figure 3 [14, 16]. model as well is that the attacker finds the π Password–based protocol-R (PAK-R) value that the client has. As with the PAK model, an attacker can find all tA, tB values if he The R-password-based protocol (PAK-R) refers has any idea about the π parameter and the to the PAK model [16,17]. The main difference algorithm. In order to avoid this situation, it is with PAK is that the calculation costs of the made difficult to find π value in PAK-Y model. client is transferred to the server. In the PAK-R The “v” function is defined to provide this model, many operations are performed on the difficulty. “V” is defined by the client with the server. In this way, the cost balance between the value “v”. The hash value of the defined client and the server is achieved. For an attacker expression is also computed. In this way, it is it is difficult to estimate the client or the server. made difficult to reach “π” value for the attacker. Therefore, it becomes efficient to use even in Schnorr signature was added in the devices with low computational power. Another authentication section and the protocol set was difference is; The “tA” value calculated on the terminated. The PAK-Y model is shown in server-side is customized. The PAK-R model is Figure 5 [18,19]. shown in Figure 4 [16, 17]. In this protocol, the tA value for computing the information shared by the server; As with other models, no additional calculation has been made on the server side. The value is obtained by processing in the “m” message from the client.

1024

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

integers in the mode p and q bases. As for this 푚 model, for each session, any value between 1 = 푡 = 𝑔푟퐴 L 푃 퐴 and 2 is chosen instead of randomly chosen temporary key values of rA, rB . SPEKE protocol is given in Figure 6 and there is no security proof for this protocol [19,20].

rA rB ZAB= (g ) rB rA ZAB= (g ) rA rB ZAB= (P )

rB rA ZAB= (P )

Fig. 5. Password–based protocol-Y protocol (PAK-Y) Secure password exponential key exchange (SPEKE) Fig. 6. Secure password exponential key In another model, the security encrypted exchange protocol (SPEKE) exponential key exchange model (SPEKE), and the security dimension of the transactions are B-Secure password exponential key exchange increased by using “P” instead of g in Diffie- (B-SPEKE) Hellman EKE [19]. P is defined as π2. In the Security password exponential key exchange-B PAK protocol, the calculation cost and (B-SPEKE) is an improvement of the SPEKE 2 processing power of P’ (π ) is lower than the model [21]. This model uses two password r calculation cost of the function H1 (A, B, π) messages. The first one is the ZAB value, the .Given the client's computing power, calculating other one is value. The Z value is sent to P = π2 is inappreciable enough for the client to ZAB AB ignore. the other party by taking the summary function against the risk of attack by the attacker. It is The calculation costs in Diffie-Hellman depends aimed to make the model more secure by on the size of rA and rB exponents. Parameter selections are made according to security levels. using ZAB value. Verification is performed with

The difference of SPEKE and PAK is that it is two (ZAB, ZAB ) different shared information easier calculating P with SPEKE since the values. summary value H and the temporary key (rA and rB) values are not processed. Models in other The protocol set is terminated with session keys studies examined that the temporary key values generated after passing these validators. Unlike “rA, rB” were randomly selected from the set of PAK models, in the B-SPEKE protocol given in

1025

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

Figure 7, randomly selected transient key values integers and tA values are sent directly by the for each session are selected from any value client to the server through the transitions. between 1 and 2L values as in SPEKE [21,22]. Shared information and session key functions have been customized by adding additional parameters to prevent the attacker from making the communication unsafe. The SRP protocol is given in Figure 8 [23].

rA rB ZAB= (P ) rB rA ZAB= (P )

π ZAB = ( ) ZAB = (π)

Fig. 7. B-Secure password exponential key rB rA + u H(s, π) exchange (B- SPEKE) protocol ZAB = ( V+ g – V)

rB rA H(s, π)u) rB Secure remote password (SRP) ZAB = (g ) . g

The Security remote password (SRP) model is based on the importance of the “u” value [23]. tA V

The purpose of selecting “u” is to ensure that the u rB ZAB = (푡 . V ) client knows π. The first message is defined in 퐴 the protocol when the client knows the “V” value. It is made difficult by the attacker to Fig. 8. Secure remote password protocol estimate the value of “u”, by randomly assigning “u” value by the server in each session. In this Authentication via memorable password way, communication becomes secure. The (AMP) Communication doesn’t start immediately after you verify the session key. The second Calculating of shared (secret) information values authentication is done by taking the hash value differ in authentication via memorable password and the protocol terminates when it is verified model [24]. The ZAB value is calculated by using that the other party is the person claimed. “e” which is the summary of tA and T values. Temporary key values are selected in”mod q” Here, as in SRP, after the session key is

1026

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030 validated, the communication does not start Fig. 9. Authentication via memorable password immediately and the second authentication is protocol. performed by taking the summary value. The It is observed that parameter values differed in protocol terminates when it is confirmed that the other party is claimed person. The generated these models. Selected parameter values are AMP protocol is given in Figure 9. There is no selected from different sets. In this way, newly security proof for SRP and AMP protocols [24]. produced functions are introduced. Table 2 Table 2. Client and server cost and the number of phases

Models Client Server

messages messages

Number of

functions functions

Number of Number of

(transmission)

exponentiations exponentiations

Number of Hash Number of Hash EKE 0 2 0 2 4 PAK 4 2 3 2 3 T PPK 3 2 1 2 2

rB .( rA+e) / (rA+ x) PAK-R 4 3 3 3 3 ZAB = ( tA . V) PAK-Y 4 4 4 2 3 SPEKE 2 2 2 2 3 rB H(s, π) x . g g ≡ B- SPEKE 3 3 2 4 3

( rA+x). (rB.(rA+e) / (rA+ x)) rA e rB SRP 1 3 1 2 4 ZAB = g = (g .g ) AMP 4 2 3 2 4 This paper 4 2 3 2 3 u rB ZAB = (푡퐴. V ) provides information about the transmission and usage of the shared information that constitutes

these models and the password of the client. Table 3.Differences and usage of parameters

π tA tA tB ZAB ZAB

rB rA EKE π π ------ZAB = (g ) r r r rB rA PAK P = H1(A, B, π ) P = H1(A, B, π ) P2 = H2(A, B, π ) ZAB = (g ) r r rB rA PPK P2 = H2(A, B, π ) P1 = H1(A, B, π ) ------ZAB = (g ) r P1 = H1(A, B, π ) q q rB rA PAK-R m = tA . h . H1(A, B, π ) h . H1(A, B, π ) ------ZAB = (g ) r r rB rA PAK-Y m = tA . H1 (A, B, V) H1 (A, B, V) ------ZAB = (g ) 2 rB rA SPEKE P = π ------ZAB = (P )

2 B-SPEKE P = H(π) ------π rB ZAB =(g )

rA rB ZAB = (P ) H(s, π) rB u rB SRP V = g ------S = V + g ZAB= (tA . V )

H(s, π) e rB AMP V = g ------ZAB = (tA . g )

This PAPER V tSS ZSS->SK ------a P = H1(IDSIM,V ) P = H1(IDSIM,V ) ZSS->SK = tSK

1027

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

The transmission of these parameters varies in the models. Some models have transmission confidentiality, while others have been ignored. Transmission confidentiality has been strengthened by these operations during transmission. Another advantage is the difficulty of computing the password-accepted parameters for models by the attacker. With some models the parameters that make up these protocols are transmitted to the opposite side without any parameters being processed. And with other models, they are processed with other parameters. The hash functions and exponential expressions used in these models are of great importance. The calculation costs of the client and server parts of these models are calculated according to the number of uses and the upper dimensions of the different summary functions. The scarcity of Fig. 10. Secure communication between service these transactions decreases the cost account. provider and SIM These cost accounts are observed to differ The transactions among mobile network between the client and server, and these operator, user, service provider and card differences were found to be distinctive by the manufacturer are expressed as follows. attacker. It is understood that a balanced distribution of the cost account by the client and In the secure communication between the server is a better solution for protocol sets. The service provider and the SIM, the SIM is first phases of these values and the number of passing provided to the user by the MNO. For the is presented in Table 3. service provider to use the SIM, an agreement is made between the service provider and MNO. Authorized Key Exchange for SIMSEC This agreement is notified to the card maker. In Protocol addition to this, the SIM, which has an In this section, a protocol is proposed to enable agreement between the card and the service secure communication between the service provider makes a key exhange. (the encryption provider and the SIM which did not have a key is transmitted to the service provider). By secret key installed during production. downloading the application from step 5 in Password-based authentication algorithm offers Figure 10, secure encrypted communication is an integrated approach to the SIMSec protocol. provided between the service provider and the Secure communication between the service SIM Card. The proposed protocol is summarized provider and the SIM must be extremely safe. step by step in Figure 11. SIM mobile service provider, IMSI The service provider calculates the P value by (international mobile subscriber identity) generating a random variable called V, which is international identification number, ICCID 10 characters long, as shown in the first step in (integrated circuit card ID) card number, LAI Figure 11. In the protocol known only by the (local area identity) area code, K (authentication i service provider, the value of “a” randomly key) authentication key, SMSC (short message generated by the service provider is used as the service center) the short message service upper value of the exponentiation process. number and the SPN (service providers number) Length is 384-bit, adhering to the standard. After store data about the service provide [25]. creating a value, ga is calculated and t value is Figure 10 illustrates how these operations are ss obtained. The P value created with this value is performed. processed and sent to the SIM card. The SIM card calculates the tss value after checking

1028

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030 whether the incoming value is empty. The value of V and has an idea of how the algorithm b is then set to 384-bit, the length of which is works, he can find all tss, tsk values. An attacker bound to the standard. The tsk value is then could damage the communication information calculated. By using the t value sent from the between the parties. Therefore, V must be ss selected randomly. other party, the shared information ZSS-> SK value is obtained. The security analysis of the SIMSEC protocol is examined in three different attacker types;

➢ An attacker in the SMS channel who knows the public values g and p can execute an attack through the key exchange protocol.

➢ Although the MNO is known as a thrustworthy institution there is an employee risk. Individual employees

could acces IDSIM and perform an attack on the SMS channel. Therefore MNO employees can’t be trusted on an individual basis. ➢ Another type of attacker is that; another service provider may have previously entered into an agreement with MNO and executed the key generation protocol with the SIM card. In this case, this service provider knows the IDSIM data and therefore can attack the key exchange protocol by knowing the IDSIM value and the public g and p values. Fig.11. Password-based Key Exchange for Diffie-Hellman algorithm is used on SIMSec SIMSEC Protocol basis. It is not possible to calculate the numbers b a a b The SIM card calculates the X value defined in (g ) (mode n) and (g ) (mode n) in this step 10 in Figure 13 and sends it to the service algorithm by those who do not know the numbers a or b. To generate the same key, the provider along with the tsk value. The service provider obtains the shared information Z attacker must be able to obtain one of these two SS-> SK numbers. In the SIMSec key generation value by means of the sent tsk value. It then calculates the value X' in step 12 given in Figure protocol, key confidentiality between the SIM 13, which is the same as the X value. If the two card and the service provider is ensured in this results are equal (only the service provider and way. the SIM card know the V value), the service provider verifies the identity of the SIM card. Conclusion and Future Works Otherwise, the protocol is terminated. Models are examined for secure communication The service provider also calculates the Y value between SIM Card and service provider. The defined in step 13 of Figure 13 and sends it to biggest limitation of SIMs is their low capacity the SIM card. The SIM card calculates the Y and processing power. In this study, these value in step 14 of Figure 13, which is the same limitations are ignored. A protocol has been as the Y value. The only difference found when proposed to enable secure communication calculating the Y' value is that the hash function b a a b between the service provider and the SIM which (g ) is replaced with (g ) instead. Since these doesn’t have a secret key installed during two values are the same, the results of the hash production. This set of protocols has been function will be the same. The SIM card and integrated into the SIMSec protocol and service providers agree on CSR-> SK and the protocol is terminated. introduced a new approach. As a future study, a reliable post-quantum protocol will be studied. The biggest problem in this approach; It is a problem of estimating the V value owned by the This method verifies each other's identities, service provider. If the attacker knows the value protected data integrity with a new approach,

1029

DUJE (Dicle University Journal of Engineering) 11:3 (2020) Page 1021-1030

and increased security against Man-in-the- [9] Schnorr, C. P. (1989, August). Efficient identification middle attack and replay attacks. With this and signatures for smart cards. In Conference on the Theory proposed perspective, attacks that can be carried and Application of Cryptology (pp. 239-252). Springer, New out over the values that are open to everyone are York, NY. made more secure thanks to the directed [10] Boyd, C., Mathuria, A., & Stebila, D. (2003). Protocols algorithm. Secure communications will continue for authentication and key establishment (Vol. 1). Heidelberg: Springer. as attacks that may occur through the key that [11] Shor, P. W. (1994, November). Algorithms for any employee at a different service provider quantum computation: discrete logarithms and factoring. knows will not go through verification from the In Proceedings 35th annual symposium on foundations of other party. computer science (pp. 124-134). Ieee. For post-quantum, the Shor algorithm [11] [12] Bellovin, S. M., & Merritt, M. (1992). Encrypted key makes traditional public-key cryptography exchange: Password-based protocols secure against systems insecure, based on problems that are dictionary attacks.. computationally hard for today’s technology. [13] Bellare, M., Pointcheval, D., & Rogaway, P. (2000, This development has made the communication May). Authenticated key exchange secure against dictionary of computers after quantum insecure and attacks. In International conference on the theory and necessitated the creation of reliable structures applications of cryptographic techniques (pp. 139-155). that can replace the systems. Based on this Springer, Berlin, Heidelberg. requirement, a new key exchange protocol will [14] Boyko, V., MacKenzie, P., & Patel, S. (2000, May). be proposed in order to provide the infrastructure Provably secure password-authenticated key exchange using enabling secure communication between SIM Diffie-Hellman. In International Conference on the Theory cards that have not been loaded with secret key and Applications of Cryptographic Techniques (pp. 156- during production and service provider. 171). Springer, Berlin, Heidelberg. [15] MacKenzie, P. (2002). The PAK suite: Protocols for References password-authenticated key exchange. In IEEE P1363. 2. [16] Mackenzie, P. (2001, April). More efficient password- [1] He, S., & Paar, I. C. (2007, July). SIM card security. authenticated key exchange. In Cryptographers’ Track at the In Seminar Work, Ruhr-University of Bochum RSA Conference (pp. 361-377). Springer, Berlin, Heidelberg. [2] Kapoor, V., Abraham, V. S., & Singh, R. (2008). Elliptic [17] Lenstra, A. K., & Verheul, E. R. (2000, August). The curve cryptography. Ubiquity, 2008(May), 1-8. XTR public key system. In Annual International Cryptology [3] Ok, K., Coskun, V., Yarman, S. B., Cevikbas, C., & Conference (pp. 1-19). Springer, Berlin, Heidelberg. Ozdenizci, B. (2016). SIMSec: A key exchange protocol [18] Jablon, D. P. (1996). Strong password-only between SIM card and service provider. Wireless Personal authenticated key exchange. ACM SIGCOMM Computer Communications, 89(4), 1371-1390. Communication Review, 26(5), 5-26. [4] Rongyu, H., Guolei, Z., Chaowen, C., Hui, X., Xi, Q., & [19] MacKenzie, P. (2001). On the Security of the SPEKE Zheng, Q. (2009). A PK-SIM card based end-to-end security Password-Authenticated Key Exchange Protocol. IACR framework for SMS. Computer Standards & Cryptol. ePrint Arch., 2001, 57. Interfaces, 31(4), 629-641. [20] IEEE P1363 Working Group. (2003). Standard [5] Li, Y., Chen, M., & Nie, J. (2011, September). Mobile specifications for password-based public-key cryptographic commerce security model construction based on sms. techniques. IEEE P1363. 2/D11. In 2011 7th International Conference on Wireless [21] Perlman, R., & Kaufman, C. (2001, August). PDM: A Communications, Networking and Mobile Computing (pp. 1- new strong password-based protocol. In Proceedings of the 3). IEEE. 10th USENIX Security Symposium (pp. 313-321). [6] Badra, M., & Urien, P. (2004, March). Toward SSL [22] Jablon, D. P. (1997, June). Extended password key integration in SIM smartcards. In 2004 IEEE Wireless exchange protocols immune to dictionary attack. Communications and Networking Conference (IEEE Cat. In Proceedings of IEEE 6th Workshop on Enabling No. 04TH8733) (Vol. 2, pp. 889-893). IEEE. Technologies: Infrastructure for Collaborative [7] Markantonakis, K., & Mayes, K. (2005). A Secure Enterprises (pp. 248-255). IEEE. Channel protocol for multi-application smart cards based on [23] Wu, T. D. (1998, March). The Secure Remote Password public key cryptography. In Communications and Protocol. In NDSS (Vol. 98, pp. 97-111). Multimedia Security (pp. 79-95). Springer, Boston, MA. [24] Kwon, T. (2000). Ultimate solution to authentication via [8] Handschuh, H., & Paillier, P. (1998, September). Smart memorable password. Contribution to the IEEE P1363 Study card crypto-coprocessors for public-key cryptography. Group. In International Conference on Smart Card Research and [25] Lee, W. C. (1995). Mobile cellular telecommunications: Advanced Applications (pp. 372-379). Springer, Berlin, analog and digital systems. McGraw-Hill Professional. Heidelberg.

1030